Detections
Analytics

Kibana 8.x < 8.19.16 / 9.0.x < 9.3.5 Multiple Vulnerabilities (ESA-2026-30 / ESA-2026-33 / ESA-2026-34 / ESA-2026-36)

high Nessus Plugin ID 318721

Synopsis

The remote host is affected by multiple vulnerabilities.

Description

The version of Kibana installed on the remote host is prior to 8.19.16 or 9.3.5. It is, therefore, affected by multiple vulnerabilities as referenced in the ESA-2026-30, ESA-2026-33, ESA-2026-34, and ESA-2026-36 advisories.

 - A path traversal vulnerability was identified in Kibana's dashboard management functionality. An authenticated user with limited permissions could create a dashboard with a specially crafted identifier.
 When an administrator subsequently attempts to delete this dashboard through the Kibana interface, the deletion request is redirected to an unintended internal endpoint, potentially resulting in the unauthorized deletion of user accounts or other resources. Exploitation requires an administrator to perform a delete action on the maliciously crafted dashboard object. (CVE-2026-33462)

 - Operation on a Resource after Expiration or Termination (CWE-672) in Kibana can lead to unauthorized information disclosure. A logic error in how expiration timestamps were validated allowed a time-bounded access token to remain usable beyond its intended validity window, enabling an unauthenticated actor in possession of the token to retrieve the associated content after expiration. (CVE-2026-33463)

 - Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated low-privileged user can cause Kibana to consume exponentially increasing amounts of memory by submitting a specially crafted Timelion visualization expression containing deeply chained function calls. The resulting data structure grows without bound, exhausting available memory and causing the Kibana service to crash and become unavailable to all users.
 (CVE-2026-42399)

 - Improper Neutralization of Input During Web Page Generation (CWE-79) in Kibana can lead to stored HTML injection. A user with write access to an Elasticsearch index could persist crafted markup which, when subsequently rendered through an affected Kibana view by another user, was not sufficiently sanitized.
 Successful exploitation could result in unauthorized UI manipulation and outbound network requests issued from the viewing user's browser session. (CVE-2026-42401)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update to Kibana version 8.19.16, 9.3.5 or later.

See Also

http://www.nessus.org/u?e02694b8

http://www.nessus.org/u?d161a394

http://www.nessus.org/u?874e7e98

http://www.nessus.org/u?e535e43d

Plugin Details

Severity: High

ID: 318721

File Name: kibana_esa_2026_30.nasl

Version: 1.1

Type: Remote

Family: CGI abuses

Published: 6/4/2026

Updated: 6/4/2026

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: High

Base Score: 8.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:C/A:C

CVSS Score Source: CVE-2026-33462

CVSS v3

Risk Factor: High

Base Score: 7.3

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H

Vulnerability Information

CPE: cpe:/a:elasticsearch:kibana

Required KB Items: installed_sw/Kibana

Patch Publication Date: 5/28/2026

Vulnerability Publication Date: 5/28/2026

Reference Information

CVE: CVE-2026-33462, CVE-2026-33463, CVE-2026-42399, CVE-2026-42401